
Risk - NBQ Outsourcing Policy vF.pdf


Document Type: Policy
Category: Governance
Document Name: Outsourcing Policy
Document ID: ORM/POL.04
Data Classification: Internal
Document Owner: Head of Risk
Effective Date: 15-JUN-2022
Revision Number: 01
Renewal Date: 14-JUN-2023
For Internal Use Only

Table of Contents

1. Outsourcing Policy ... 3
1.1 Purpose and Objective ... 3
1.2 Departments Involved / Scope ... 3
1.3 Abbreviations Used ... 4
1.4 Key Information / Definitions / Introduction ... 4
1.5 Outsourcing Framework ... 5
1.6 Risks & Materiality ... 6
1.7 Overview of Outsourcing Lifecycle ... 10
1.7.1 Outsourcing Strategy Analysis Phase ... 10
1.7.2 Initial Risk Assessment ... 11
1.7.3 Materiality Assessment ... 11
1.7.4 Project Charter/Team Set-up ... 11
1.7.5 Initiation & Selection Phase ... 12
1.7.6 Transition Phase ... 15
1.7.7 Value Delivery Phase ... 16
1.8 Ownership, Roles and Responsibilities ... 17
1.8.1 Roles and Responsibilities of the Board ... 17
1.8.2 Roles and Responsibilities of Senior Management ... 18
1.8.3 Roles and Responsibilities of Departments ... 18
1.9 Policy Statement ... 21
1.10 Outsourcing in Compliance with Central Bank's Consumer Protection Regulation ... 21
1.11 Policy and Procedure Interactions / Connections ... 23
1.12 Annexures / Attachments / Supporting Documents ... 23
1.13 Key Controls / Management Reports ... 24
2. Approval Sign-off ... 28
3. Revision Log ... 29

ORM/POL.04 Revision 01 (15-JUN-2022) Page 2 of 29

1. Outsourcing Policy

The aim of this document is to assist NBQ in structuring outsourcing arrangements in a manner that allows the benefits of outsourcing to be realized while ensuring that NBQ can fulfil its obligations to its customers and to the Central Bank of the UAE. To accomplish this aim, the document provides a framework for the management of outsourcing initiatives that complies with the UAE-CB Outsourcing Regulation (CBUAE/BSD/N/2021/2909) and aligns with international best practices for the management of outsourcing initiatives. The framework adopted throughout this document is the Outsourcing Life Cycle Model.

1.1 Purpose and Objective

The purpose of this document is to outline the general policies, procedures, and prudential measures to be followed throughout the outsourcing life cycle with the aim of accomplishing the following objectives:
a. Ensuring that outsourcing initiatives are in line with NBQ's overall strategy and business requirements.
b. Ensuring that material risks are identified, assessed, understood, and monitored throughout the lifecycle of an outsourcing initiative.
c. Providing clarity on the roles and responsibilities of the various functions with regard to outsourcing initiatives.
d. Adherence to the guidelines of the UAE Central Bank with regard to outsourcing.
e. Ensuring that the Bank is able to meet its financial and service obligations regardless of whether the business activity is undertaken by the Bank itself or outsourced.

Considering the above objectives, this policy is applicable to the following:
a. NBQ Directors, Employees, Representatives and Temporary Workers
b. All NBQ branches and Head Office
c. NBQ third-party service providers and their sub-contractors, where relevant

1.2 Departments Involved / Scope

1. Activities in Scope of Outsourcing Policy: The outsourcing policy is applicable to the following activities:
a. Business process outsourcing; examples include loan origination, credit card processing, marketing and research, and document processing.
b. Information technology outsourcing; examples include database management and help desk support.

2. Activities Out of Scope of Outsourcing Policy: This policy does not apply to the following activities:
a. Annual maintenance of software applications
b. IT hardware and infrastructure procurement
c. Security solution licenses
d. Chartered accountant engagements
e. External auditors
f. Consulting engagements
g. Outsourcing of activities not related to banking services; examples include couriers, catering, and security services.

In addition to the aforementioned out-of-scope activities, as per UAE-CB regulations the following functions cannot be outsourced:
a. Senior Management oversight
b. Credit management and decisions
c. Risk Management
d. Compliance
e. Internal Audit
f. Management of risk-taking functions, including credit, investment and treasury management.

1.3 Abbreviations Used

NBQ: National Bank of Umm Al Quwain
CBUAE / UAE-CB: Central Bank of UAE
SLA: Service Level Agreement
PMO: Project Management Office
NDA: Non-Disclosure Agreement
RFP: Request for Proposal
CPR: Consumer Protection Regulation

1.4 Key Information / Definitions / Introduction

The Outsourcing Lifecycle Model splits a given outsourcing initiative into four distinct phases: Strategy Analysis, Initiation & Selection of Service Provider, Transition, and Value Delivery.
The framework then defines the key processes and exit criteria of each phase while assigning roles and responsibilities to key NBQ stakeholders.

To aid in the execution of the Outsourcing Lifecycle Model, the remainder of this document is split into six sections. The General Policies section defines outsourcing, establishes the scope of activities that can be outsourced, and provides an overview of relevant NBQ documents and policies; it also highlights elements that are to be included in NBQ's overall risk governance framework. The Regulatory Requirements section gives stakeholders an overview of the UAE Central Bank Regulations on Outsourcing and outlines the policies for fulfilling key documentation requirements and the special considerations for outsourcing outside the UAE; the documentation requirements addressed by that section cover the process for maintaining the outsourcing register and requesting Central Bank Non-Objection. The Outsourcing Framework section introduces stakeholders to the lifecycle model and defines the objectives of each phase and the key processes involved. The Risks & Materiality section defines the key outsourcing risks and suggested controls based on market best practice, and gives an overview of the materiality assessment process. The Overview of the Outsourcing Lifecycle section gives stakeholders an overview of each phase and defines the best practices for each of the processes involved in the outsourcing life cycle. The final section provides stakeholders with an overview of the main roles and responsibilities of the Board, Senior Management and NBQ departments with regard to outsourcing.
Material Business Activity: an activity that has the potential, if disrupted, to have a significant impact on the Bank's business operations or its ability to manage risks effectively.

Outsourcing: an agreement between the Bank and another party, either within or outside the UAE, including a party related to the Bank, to perform on a continuing basis an activity which is currently, or could be in the future, undertaken by the Bank (CB-UAE Outsourcing Regulation CBUAE/BSD/N/2021/2909).

1.5 Outsourcing Framework

NBQ's outsourcing framework consists of four stages that define the outsourcing lifecycle; Figure (2) gives a brief overview of the framework.

Figure (2): Overview of the outsourcing framework (figure not reproduced in this extraction)

1. Strategy Analysis: The Strategy Analysis phase is the first step in the outsourcing life cycle; it is initiated with a request from a department of NBQ to outsource a product/process/service. The main objectives of the Strategy Analysis phase are the following:
a. Ensuring that the outsourcing initiative is in line with NBQ's overall strategy.
b. Ensuring that key NBQ decision makers have a full understanding of the initiative in terms of risks and materiality.
c. Ensuring that a project sponsor is designated and that key stakeholder roles and responsibilities are defined.

2. Initiation & Selection: The Initiation & Selection phase encompasses the vendor selection process, contract negotiation and regulatory notification. The main objectives of the phase are the following:
a. Ensuring that appropriate requirements, service levels and control measures are defined by the Bank.
b. Ensuring that appropriate due diligence is undertaken on the selected service provider.
c. Ensuring that the Board or a committee of the Board has been adequately informed and has approved the outsourcing arrangement as required.
d. Ensuring that outsourcing agreements incorporate the minimum requirements outlined by the UAE-CB.
e. Ensuring that the UAE-CB is notified and provided with all necessary information to grant a non-objection, as outlined in section V, subsection 4 of this document.

3. Transition: The Transition phase is initiated after the granting of the UAE-CB non-objection (in the case of material outsourcing) and signature of the agreement with the selected service provider. The objectives of the phase are as follows:
a. Ensuring that the transition team and plan from both NBQ and the service provider are defined.
b. Ensuring that controls relating to data protection, risk management and regulatory compliance are tested with the service provider.
c. Ensuring that an adequate joint governance structure is put in place, defining the roles and responsibilities of NBQ, the service provider and sub-contractors (if applicable), along with the set-up of joint governance committees.
d. Ensuring that appropriate provisions for business continuity and disaster recovery are in place, including contingency plans to bring the service back in-house or transition to an alternate service provider.

4. Value Delivery: The Value Delivery phase is initiated after go-live of the product/process/service from the service provider's site. The main objectives of the phase are as follows:
a. Ensuring that the performance and service level of the service provider adhere to the SLAs and requirements defined in the contract.
b. Ensuring that Internal Audit can obtain all information necessary to provide assurance to the Board.
c. Ensuring that outsourcing service providers are fully prepared to implement NBQ's business continuity plan.
d. Ensuring that risks are identified, measured, monitored, and reported.
e. Ensuring that non-performance-related terms of the contract are monitored (financial obligations and end/extension dates).

1.6 Risks & Materiality
I. Key Outsourcing Risks: In order to ensure that material risks relating to outsourcing are identified, measured, managed or mitigated, and reported to the Board, Table 3 outlines the key risks relating to outsourcing and their minimum suggested controls.

Table 3: Key outsourcing risks and suggested controls

1. Strategic Risk
Definition: Failure to achieve the Bank's strategic objectives, arising from:
▪ Failure to consider NBQ's overall strategy when outsourcing
▪ Service provider engaging in activities that contradict NBQ's strategic objectives
Suggested Controls:
▪ Ensuring that NBQ's strategy and objectives are well defined, communicated and considered during outsourcing arrangements
▪ Thorough review of service provider activities, business and goals to ensure alignment with NBQ's strategy

2. Operational Risk
Definition: Losses arising from inadequate processes or systems, insufficient or inadequately trained or supervised staff, fraud, or error on the part of the outsourcing service provider. Operational risk may arise from:
▪ Failure of systems
▪ Non-compliance with NBQ's policies and procedures by internal staff
▪ Service provider failing to comply with the contract and SLA
▪ Service provider failing to fulfil its obligations towards NBQ due to lack of financial capacity
▪ Internal or external fraud
Suggested Controls:
▪ Applying and regularly testing NBQ's and the service provider's business continuity and disaster recovery plans
▪ Monitoring of compliance with NBQ's outsourcing policy
▪ Well-defined SLAs and regular monitoring of service provider performance
▪ Regular assessment of controls for outsourced activities

3. Compliance Risk
Definition: Failure by the outsourcing provider to adhere to laws and regulations or to NBQ's policies, standards, or codes of conduct.
Suggested Controls:
▪ Early and active involvement of control units (Compliance, Internal Audit and Risk Management) in the outsourcing initiative

4. Reputational Risk
Definition: Any risk that may affect NBQ's reputation, arising from:
▪ Inadequate service provided to NBQ's customers
▪ Service provider not maintaining NBQ's standards of professionalism and code of conduct
Suggested Controls:
▪ Thorough due diligence of service provider references
▪ NBQ should maintain a reputational policy and ensure service provider compliance

5. Vendor Lock-in and Business Continuity Risk
Definition: Risk to the business continuity of NBQ's operations arising from:
▪ Inadequate contractual and practical arrangements to ensure an outsourced business activity can be either transferred to another service provider or to NBQ itself without undue delay, or discontinued without significantly disrupting NBQ's operations or its ability to manage risks
Suggested Controls:
▪ Maintain a comprehensive business continuity plan
▪ Service provider maintains and tests its business continuity plan
▪ Ensuring the availability of alternate service providers
▪ Ensuring the outsourcing agreement includes well-defined provisions for exit criteria and strategy
▪ Ensuring availability of adequate in-house resources to perform the service/process in case of service provider failure

6. Transitional Risk
Definition: Risk during the transition of the service/product/process to the service provider arising from:
▪ Inability to transfer assets, experience, and employees to the service provider
▪ Customer-related issues during transition (service outage, lack of communication)
Suggested Controls:
▪ Reviewing vendor experience in implementing similar transitions
▪ Ensuring the drafting of a well-defined customer communication and complaint resolution strategy in the transition plan
▪ Comprehensive transition plan by NBQ, the service provider and sub-contractors (if relevant)

7. Legal Risk
Definition: Fines, penalties and legal disputes levied against NBQ, arising from:
▪ Non-compliance with relevant regulations and legislation by the service provider
▪ Failing to obtain customer acknowledgment and consent for outsourced products/processes/services
Suggested Controls:
▪ Ensure that the service provider is compliant with all relevant laws and regulations
▪ Review the service provider's compliance controls
▪ Ensure customer agreements reserve the right of NBQ to outsource all or part of the product/service delivered

8. Concentration Risk
Definition: Risk arising from:
▪ Relying on the same outsourcing service provider for multiple outsourcing arrangements
▪ Reliance by different outsourcing providers on the same outsourcing sub-contractors
Suggested Controls:
▪ Ensuring that during the selection process NBQ's outsourcing register is reviewed by the initiating department to avoid excessive outsourcing to the same service provider
▪ Reviewing service provider sub-contractors during due diligence against the sub-contractors of already outsourced services
▪ Ensuring outsourcing agreements define the extent of sub-contracting allowed and the service provider's obligation to seek NBQ's approval prior to material sub-contracting

9. Governance & Internal Control Risk
Definition: Risk arising from:
▪ Excessive outsourcing as a whole in a specific domain or department
▪ Over-reliance on third parties in the operations of the business
Suggested Controls:
▪ Drafting, maintaining and monitoring compliance with NBQ's overall risk appetite for outsourcing activities
▪ Defining, maintaining and monitoring compliance with NBQ's sourcing strategy
▪ Defining the maximum allowed outsourcing per business line / department

10. Confidentiality Risk
Definition: Risk arising from:
▪ Service provider failure to maintain confidentiality of classified NBQ information during the selection phase
▪ Service provider failure to maintain confidentiality of NBQ customer information
▪ Service provider failure to maintain confidentiality in the event of termination of the outsourcing agreement
Suggested Controls:
▪ Ensuring that shortlisted service providers sign a non-disclosure agreement during the selection phase
▪ Reviewing service provider access rights policies to ensure adequate control of access to confidential information
▪ Ensuring that outsourcing agreements define the service provider's responsibility to maintain confidentiality in the event of termination

11. Contractual Risk
Definition: Risk arising from NBQ's inability to enforce articles included in the outsourcing agreement.
Suggested Controls:
▪ Review of the outsourcing agreement by NBQ's legal counsel and, if deemed necessary, external counsel with experience in outsourcing agreements
▪ Clearly defined service level agreements to be included in outsourcing agreements
▪ Clearly defined obligations for each party to the outsourcing agreement

12. Aggregate Risk
Definition: Risk arising from all outsourcing arrangements and the marginal risk of any outsourcing arrangement, resulting in NBQ's inability to manage its overall outsourcing risk due to lack of resources and the excessive controls required to maintain adequate risk management.
Suggested Controls:
▪ Ensuring that the outsourcing register is reviewed during risk assessment to aid in identification of aggregate risk
▪ Ensuring that the overall risk arising from outsourcing is identified, measured and monitored
▪ Ensuring the risk appetite for outsourcing defines the maximum aggregate risk level

13. Information Security Risk
Definition: Risk arising from:
▪ Service provider breaches of data protection
Suggested Controls:
▪ Ensuring that adequate policies and procedures for data protection are in place
▪ Ensuring that the service provider maintains data protection procedures in line with NBQ's policies

14. Access Risk
Definition: Risk arising from:
▪ NBQ's inability to obtain information relevant to the outsourced activity or required by the UAE Central Bank
▪ Inability of the Central Bank of the UAE to obtain information necessary for fulfilling its supervisory duties
Suggested Controls:
▪ Ensuring a thorough due diligence process for service providers
▪ Well-defined outsourcing agreement clauses reserving the right of NBQ and the UAE Central Bank to access information and data

Risk Arising When Outsourcing Outside the UAE: In addition to the risks mentioned above, in the case of outsourcing outside the UAE the following risks must be explicitly considered:
1. Changes in the economic, social, political, legal or regulatory conditions and their effect on the ability of a service provider outside the UAE to fulfil the terms of the agreement.
2. Higher level of operational risk due to poor infrastructure in another jurisdiction.
3. Legal risk arising from differing laws and possible shortcomings in the legal system in the countries where the service is provided.
4. Reputational risk arising from outsourcing outside the UAE.

II. Materiality of Outsourcing Arrangements:

Overview of Materiality Assessment Process: In order to determine the materiality of an outsourcing initiative, the following factors will be considered in the assessment:
1. The impact of the outsourcing arrangement on NBQ's overall strategy and its ability to execute it
2. The impact of the outsourcing arrangement on NBQ's operational performance and its ability to control its own performance
3. The impact of the outsourcing arrangement on NBQ's financial performance and the control over its own performance
4. The impact of the outsourcing arrangement on NBQ's ability to manage and control its own risks
5. The impact of the outsourcing arrangement on NBQ's reputation in case of service provider failure or negligence
6. The impact of the outsourcing arrangement on NBQ's ability to comply with its legal and regulatory requirements
7. The nature of the data shared as part of the outsourcing arrangement.

Responsibilities: The initiating department is ultimately responsible for undertaking the materiality assessment; the roles of other stakeholders are defined in the materiality assessment procedure.

Board Approval: In case the outsourcing initiative is deemed to be material, the initiating department is responsible for seeking the approval of the Board of Directors.

1.7 Overview of Outsourcing Lifecycle

1.7.1 Outsourcing Strategy Analysis Phase

A. Requirement Gathering: The outsourcing strategy analysis phase begins with an initial analysis of the process/product/service considered for outsourcing, with the aim of deciding whether to perform the function in-house or through an external service provider.
The initiating department in this phase designates a Responsible Officer, who in turn prepares a statement of requirements document containing the following:
▪ Objectives of the product/service/process under consideration and its scope
▪ Summary of technical requirements
▪ Summary of functional requirements from relevant departments
▪ Full description of the product/service/process
▪ Service level requirements
▪ Reporting and regulatory requirements relating to the product/service/process
▪ Fines and penalties that can be levied against NBQ in case of service level non-compliance

Although the decision to outsource has not yet been taken at this stage, the initiating department and its designated Responsible Officer must consider the following:
▪ Terms of the outsourcing agreement (cost, duration, etc.)
▪ Confidentiality of the data involved and information security requirements if outsourced

B. Drafting Business Case:

Approval in Principle: Once the statement of requirements is submitted by the designated Responsible Officer, it is reviewed by the head of the concerned department, who provides an approval in principle to proceed with drafting of the Business Case.
Drafting of Business Case: Following the approval of the initiating department's manager, the Responsible Officer prepares a Business Case containing the following:
▪ Executive summary
▪ Summary of the product/service/process being considered for outsourcing
▪ Previously prepared statement of requirements
▪ Desired service levels
▪ Cost of outsourcing the product/process/service, including direct service provider related costs and any indirect costs to be incurred by NBQ
▪ Income estimates and breakeven points (if relevant)
▪ Recommendation to outsource the product/process/service to a third-party service provider
▪ Analysis of the available in-house human resources and technology to perform the product/service/process in-house
▪ Comparison between costs and revenue of outsourcing the product/service/process vs. keeping it in-house
▪ Regulatory requirements relating to the product/process/service

1.7.2 Initial Risk Assessment

The Business Case: The Initiating Department performs an initial risk assessment which, at a minimum, considers the key risks of outsourcing outlined in section 1, sub-section VI of this policy.

Incorporation into Business Case: Following completion of the initial risk assessment, the controls and mitigants suggested by reviewers are incorporated into the Business Case by the Initiating Department.

1.7.3 Materiality Assessment

The outsourcing initiative is given a materiality score by the Initiating Department and then reviewed by all relevant stakeholders, considering the factors outlined in Section 1, sub-section VII of this policy and following the procedures set out in the materiality assessment procedures. In case the activity is determined to be material, the Board of Directors is notified that outsourcing of a material business activity is being considered, and the initiating department is responsible for seeking the Board's approval of the Business Case.
1.7.4 Project Charter/Team Set-up

After Board approval to proceed is granted, a project charter is drafted by the Responsible Officer outlining the finalized scope of the outsourcing initiative, a high-level timeline and the team for the project, which as a minimum must include a Responsible Officer from the initiating department, PMO, Information Technology, Compliance, Operational Risk and Information Security departments, in addition to any other relevant departments considering the nature of the activity to be outsourced.

1.7.5 Initiation & Selection Phase

Following approval to outsource the product/process/service to a third-party provider, a long list of service providers is created and the service provider selection process outlined below begins.

1. Service Provider Selection Process:

a) Service Provider Selection Committee: A service provider selection committee is created, made up of the project team and any other members deemed necessary based on the nature of the activity under consideration. The committee is responsible for setting the scoring and evaluation criteria for service providers and documenting the process.

b) Non-Disclosure Agreement: NBQ must ensure that all measures are taken to protect the confidential information of the Bank and its customers. As such, a non-disclosure agreement will be prepared by NBQ's legal department prior to engaging in any agreements with service providers for outsourcing material business activities. Alternatively, during the selection phase an NDA provided by the service provider is considered sufficient if the legal department reviews and approves it. The outsourcing agreement must include clauses preventing the service provider from divulging information about NBQ or its clients.
c) Request for Proposal: After the signatures of the service providers are obtained on the non-disclosure agreement, a request for proposal (RFP) is issued by the Responsible Officer. The RFP will have the following characteristics:
▪ Standardized format for all service providers
▪ Distinction between functional, technical and implementation requirements for ease of scoring
▪ Issued to a minimum of three shortlisted service providers
In the event that the project team wishes to seek an exemption from issuing to and considering three service providers for the outsourcing of a material business activity, sign-off and approval from the Board of Directors has to be obtained.

d) Due Diligence: A due diligence review will be conducted on all shortlisted vendors. The review will include, as a minimum, the following factors:
▪ Ability, including financial capacity, to meet the requirements of the arrangement and deliver the service reliably
▪ Experience with similar agreements and services
▪ Governance, internal control, internal audit, reporting and monitoring capabilities
▪ Security, including cyber security and fraud management
▪ Staffing, including employee qualifications and expertise
▪ Country risk factors and legal environment, where applicable

In the case of service providers located outside the UAE, the following factors have to be taken into consideration:
▪ In the event that the service provider is domiciled in a jurisdiction that cannot provide the same level of safeguarding of Confidential Data that would apply if the data were kept in the UAE, NBQ cannot outsource to the service provider
▪ In the event that the service provider is storing data as part of the outsourcing arrangement and is domiciled, or stores the data, in a jurisdiction where bank secrecy or other laws restrict or limit the access of the UAE Central Bank to data necessary for supervisory purposes, NBQ cannot outsource to the service provider
▪ As part of the due diligence process for service providers outside the UAE, NBQ must ensure that the service provider is in compliance with all relevant personal data protection legislation and regulations
▪ In the case of sub-contracting by the service provider which entails the sharing of confidential data, NBQ must ensure that the sub-contractor is in compliance with the UAE Central Bank's obligations regarding the sharing of data outside the UAE

In cases where the due diligence review indicates a potential conflict of interest between a member of the selection committee and a service provider under consideration for outsourcing, the committee member in question is replaced with a representative from the same department. The procedures to be followed during due diligence of service providers are contained in the due diligence procedures document.

e) Service Provider Approval: After evaluation and due diligence of the shortlisted service providers, the selection committee drafts a report containing its recommendation for the service provider; the report should contain the scoring criteria used along with the supporting reasons for the recommendation. The report is sent to the manager of the initiating department for review and sign-off prior to onward sign-off by the Chief Operating Officer on the service provider recommendation. Post CEO sign-off on the choice of service provider, and in the case of material outsourcing, the recommendation is presented to the Board, which approves the choice of service provider.

f) UAE-CB Non-Objection: Following Board approval of the recommended service provider, the process for obtaining the non-objection of the Central Bank begins, as outlined in Section 1, Sub-Section V, Paragraph 4 of this document.
g) Contract Negotiation: All outsourcing arrangements must be governed by formal contracts clearly defining all material aspects of the outsourcing arrangement.
Minimum Contract Requirements: All outsourcing agreements must contain the following minimum requirements:
1. Scope of the arrangement, the services to be supplied, and the rights and responsibilities of all parties involved.
2. Pricing and fee structure.
3. Service level and performance requirements.
4. Governance, security, audit, reporting and monitoring procedures.
5. Business continuity and disaster recovery management.
6. Confidentiality, privacy and security of information.
7. Default arrangements and termination provisions, addressing also premature termination for any reason.
8. Liability, indemnity and insurance.
9. Compliance with anti-money laundering and combatting the financing of terrorism laws and regulations.
10. Start and end date of the agreement, and provisions for reviewing, renewing or terminating the agreement.
11. Dispute resolution arrangements, including designation of the legal jurisdictions that will apply.
12. Whether subcontracting is allowed and under which conditions.
13. Protection of the Bank’s and its customers’ data handled as part of the agreement.
14. Requirements for the outsourcing service provider to notify the Bank without undue delay of any breach of the Bank’s data, in particular breaches of Confidential Data; and
15. Right of the Central Bank, and any agent appointed by the Central Bank, to conduct on-site visits at the outsourcing service provider and obtain any data or information from the outsourcing service provider required for supervisory purposes.
h) Controls Relating to Data Protection: Information Security is responsible for drafting policies that ensure data integrity, confidentiality and accessibility, covering the following minimum areas:
1. Access rights management, including but not limited to policies for granting and revoking access rights and a periodic review of user privileges.
2. Protection against digital and physical attacks.
3. Protection of the integrity of data.
4. Audit trails.
5. Measures to detect, react to, and recover from data security incidents.
Outsourcing agreements must ensure that the service provider’s data protection policies provide at least the same level of data protection that would apply had the product/service/process remained in-house.
i) Additional Controls in Case of Outsourcing outside the UAE:
▪ In cases of outsourcing outside the UAE, NBQ must establish policies and procedures within the agreement regarding the control and monitoring of activities involving the sharing of data outside the UAE.
▪ In cases of outsourcing outside the UAE which includes sharing of confidential data, concrete security requirements must be defined in the agreement; additionally, NBQ staff must be trained in respect of these requirements.
▪ In cases of outsourcing outside the UAE, the agreement must ensure that the service provider maintains an appropriate level of information security and service delivery.
1.7.6 Transition Phase
The Transition Phase begins upon approval of the Central Bank for the outsourced activity and signature of the agreement with the service provider.
1. Transition Team/Plan: Upon the start of the transition phase, an internal transition team is formed comprising the same members as the project team in addition to any further departments required depending on the nature of the outsourcing arrangement.
Following the formation of the team, a detailed plan for the transition is drafted with the service provider, covering timelines, key milestones, approach and responsibilities of each party during the transition.
2. Testing Controls: During the transition phase it is essential that the controls of the service provider be tested for adequacy and completeness. Tests should cover the following areas:
▪ Compliance Testing: to ensure that controls, processes and elements relating to the service provider’s compliance program are designed appropriately and functioning as required.
▪ Performance Testing: to ensure reliability of the service provider’s product, service or process
▪ User Acceptance Testing: validating that service delivery matches NBQ’s requirements
▪ Security Testing: validating that controls relating to information security and data protection are as per NBQ’s requirements
3. Joint Governance Set-Up: In order to ensure the availability of communication channels between NBQ and its service providers, joint governance committees for outsourced material business activities are to be established during the transition phase. Two committees should be established:
▪ Steering Committee: comprised of NBQ and service provider senior management, for resolution of conflicts and major decisions.
▪ Working Committee: comprised of relevant department heads and project leads from the outsourcing service provider.
Additionally, during the transition phase, the meeting frequency for each committee will be agreed upon between NBQ and the service provider.
4.
Business Continuity Plan: During the transition phase NBQ shall require its service provider to take the following measures in order to ensure business continuity in case of failure:
▪ Establish a framework for documenting, maintaining and testing business continuity
▪ Establish a testing schedule for its business continuity and recovery plan
▪ Establish a high-level timeline for joint tests of business continuity and disaster recovery
During the transition phase NBQ shall perform the following activities with regards to business continuity:
▪ Integrate the outsourced service into the Bank’s business continuity and disaster recovery plan
▪ Ensure that internal stakeholders and the service provider are ready to implement the business continuity plan; joint tests may be scheduled during transition depending on the criticality of the outsourced activity
▪ Establish a plan to transition the service to an alternate provider or back in-house in case of service provider failure; the plan should include estimates of cost, time and resources required to implement it.
During the transition NBQ and the service provider should jointly establish the framework for invoking contingency arrangements.
1.7.7 Value Delivery Phase
1. Performance Monitoring: The PMO will assist the business owners or responsible officer with the development of a performance audit program to assess the vendor’s compliance with agreed-upon service levels and quality of services. The scope of review, frequency and the supporting documentation needed will vary depending on the complexity of the service provider relationship and the product or service being provided. In general, the scope of the performance audits will include the following:
▪ Vendor Relationship Oversight
▪ Service Level Agreements
▪ Quality of Services
▪ Contract Terms
▪ Billings and Disbursements
2.
Service Provider Audits: Outsourced activities remain fully in scope of the Bank’s audit and compliance responsibilities; as such, the following will apply with regards to service provider audits:
▪ Regular audits by either the internal auditors or external auditors of the bank should assess the adequacy of the risk management practices adopted in overseeing and managing the outsourcing arrangement, the bank’s compliance with its risk management framework and the requirements of these guidelines.
▪ The bank should, at least on an annual basis, review the financial and operational condition of the service provider to assess its ability to continue to meet its outsourcing obligations. Such due diligence reviews, which can be based on all available information about the service provider, should highlight any deterioration or breach in performance standards, confidentiality and security, and in business continuity preparedness.
▪ The bank’s Compliance Department would be responsible for reporting any suspicious transactions or activities to CBUAE in respect of the bank’s customer-related activities carried out by the service providers.
3. BCP Tests: The Bank should regularly test its business continuity plan in order to be prepared for service provider failure. During the value delivery phase NBQ shall:
▪ Periodically test its business continuity plan and check internal preparedness to implement it
▪ Periodically re-assess its plan to transition the service in-house or to a different service provider
▪ Review and audit the results of the service provider’s business continuity tests.
4.
Risk Monitoring: Ongoing risk monitoring of outsourced Material Business Activities shall be conducted through a three lines of defence model:
▪ First Line of Defence: The initiating department and the assigned responsible officer are responsible for identifying, assessing and mitigating risk activities and implementing controls consistent with NBQ policy
▪ Second Line of Defence: Operational Risk, Information Security and Compliance assist in supporting service provider management by monitoring and performing other oversight activities
▪ Third Line of Defence: Internal Audit provides the Board of Directors and Senior Management with reports assessing the effectiveness of NBQ’s risk management policies
5. Contract Review: The following describes the minimum requirements for review of outsourcing contracts:
▪ All outsourcing contracts are to be reviewed consistently and regularly. The frequency of review depends on the nature of the arrangement
▪ Each agreement is to be reviewed individually; however, all agreements are to be reviewed annually
1.8 Ownership, Roles and Responsibilities
The Operational Risk Unit, reporting to the Head of Risk, is the owner and custodian of this policy and shall be responsible for reviewing and updating the policy document at least annually. Any changes to this policy document should be approved by the Board.
1.8.1 Roles and Responsibilities of the Board
The Board of the Bank, or the Risk Committee or EXCO as delegated by the Board, would be responsible as follows:
1. Approving a framework to evaluate the risks and materiality of all existing and prospective outsourcing and the policies that apply to such arrangements.
2. Laying down appropriate approval authorities for outsourcing depending on risks and materiality.
3.
Undertaking regular review of outsourcing strategies and arrangements for their continued relevance, and safety and soundness; and
4. Deciding on business activities of a material nature to be outsourced and approving such arrangements.
1.8.2 Roles and Responsibilities of Senior Management
The Senior Management of the Bank would be responsible for:
1. Evaluating the risks and materiality of all existing and prospective outsourcing, based on the framework approved by the Board and on the risk appetite.
2. Developing and implementing sound and prudent outsourcing policies and procedures commensurate with the nature, scope, and complexity of the outsourcing.
3. Reviewing periodically the effectiveness of policies and efficiency of the procedures.
4. Communicating information pertaining to material outsourcing risks to the Board in a timely manner.
5. Ensuring that contingency plans, based on realistic and probable disruptive scenarios, are in place and tested.
6. Ensuring that there is independent review and audit for compliance with set policies.
7. Undertaking periodic review of outsourcing arrangements to identify new material outsourcing risks, as they arise.
1.8.3 Roles and Responsibilities of Departments
Table (4) below outlines the main roles and responsibilities of departments across the outsourcing life cycle. For each department the responsibilities are listed per phase: Outsourcing Strategy Analysis, Initiation & Selection, Transition and Value Delivery.

Table (4)

1. Initiating Department
Outsourcing Strategy Analysis:
1. Develop the statement of requirements
2. Develop the Business Case for outsourcing and submit it to the Board of Directors in cases of Material Outsourcing
3. Conduct initial risk assessments of the proposed outsourcing arrangement
4. Conduct materiality assessments of proposed outsourcing initiatives.
Initiation & Selection:
1. Provide input in crafting the long list of service providers
2. Establish criteria for shortlisting and scoring of service providers
3. Conduct the due diligence of service providers
4. Define SLAs and performance expectations
5. Submit required information for Central Bank Non-objection to the Compliance Department
6. Sharing of the outsourcing agreement with the legal team for review.
Transition:
1. Validate service provider delivery during UAT
2. Define the transition plan along with the service provider & PMO
3. Ensure that the outsourced initiative is included in business continuity and contingency plans by liaising with the Operational Risk Department.
Value Delivery:
1. Provide necessary information to the compliance and risk departments for the evaluation of aggregate outsourcing risk
2. Annual (minimum) review of service provider performance, financial and operational condition
3. Act as a first line of defense for service provider risk management and highlight any material risks that may arise in addition to adverse developments in performance standards, confidentiality and business continuity readiness
4. Providing GSU with the necessary information required to maintain the outsourcing register
5. Sharing of previous audits and assessments during Central Bank inspections or as requested by the Operational Risk and Compliance departments
6. Inform the Board of Directors and the Compliance department immediately in cases of material change or adverse developments in outsourcing arrangements

2. Operational Risk
Outsourcing Strategy Analysis:
1. Review initial risk assessments of the proposed outsourcing arrangement
2. Review materiality assessments of proposed outsourcing initiatives.
Initiation & Selection:
1. Providing inputs to the initiating department during due diligence as relevant to the effectiveness of the service provider’s risk management policies
2. Review service provider business continuity plans and assess for adequacy.
Transition:
1. Review the outsourcing contract for business continuity and contingency plans of the service provider.
Value Delivery:
1. Periodic review of outsourcing risk and timely reporting to the Board in cases of material risk
2. Ensure that risk management policies & procedures, in addition to outsourcing guidelines, are complied with
3. Periodic testing of contingency plans.

3. PMO
Outsourcing Strategy Analysis:
1. Crafting of project plan/charter.
Initiation & Selection:
1. Project Management for the selection process.
Transition:
1. Assist in drafting of the transition plan.
Value Delivery:
1. Convene Governance committees
2. Assist the initiating department in service provider monitoring.

4. Legal
Outsourcing Strategy Analysis:
1. Provide guidance on the legal impact of the outsourcing initiative during materiality assessments.
Initiation & Selection:
1. Providing guidance to ensure that the service provider is not in breach of any UAE law
2. Review and assist in crafting of outsourcing agreements/SLAs to ensure enforceability and preserve NBQ’s and the Central Bank’s right to inspect.
Value Delivery:
1. Counseling in case of disputes

5. Compliance
Outsourcing Strategy Analysis:
1. Provide guidance to the initiating department on adherence of the outsourcing initiative to UAE-CB Regulations
2. Provide inputs with regards to regulatory impact during materiality assessment.
Initiation & Selection:
1. Review service provider compliance with UAE-CB regulations and provide assessment of the same.
2. Submission of required documentation to the UAE-CB for the purposes of availing their non-objection.
Value Delivery:
1. Report to UAE-CB in cases of termination or material breaches of outsourcing agreements
2. Regularly report to UAE-CB in cases of outsourcing involving the sharing of data outside the UAE
3. Reporting suspicious transactions to the UAE Central Bank.

6. Information Security
Outsourcing Strategy Analysis:
1. Provide inputs to the operational risk department on data protection and information security aspects of the outsourcing initiative to aid the assessment of risks and materiality.
Initiation & Selection:
1. Provide inputs during due diligence on the effectiveness of service provider information security policies.
2. Provide inputs during contract negotiation on the necessary controls to be included to ensure the service provider adheres to NBQ information security policy.
Transition:
1. Assessment of the service provider’s controls with regards to data protection and information security.
Value Delivery:
1. Assist in the review of service provider controls relating to information security and data protection.

7. IT
Outsourcing Strategy Analysis:
1. Assist in materiality assessment by providing input on scale of data sharing.
Initiation & Selection:
1. Provide inputs during service provider selection on technical requirements.
Value Delivery:
1. Provide reports to Compliance in cases of data sharing outside the UAE.

8. Audit
1. Periodically review outsourcing arrangements and report deviations to the Board
2. Periodic audits of service provider performance
3. Periodic independent audits of service provider security and control environment.

9. Finance
1. Assist the Initiating Department in determining the financial impact on the Bank during materiality assessments.

1.9 Policy Statement
The Bank should engage Service Providers who are reputed with a good track record, preferably have an office in and provide service from the UAE, with minimal chances of disruption. The Bank must ensure adequate due diligence, materiality assessment, risk control and mitigation and compliance with the regulatory requirements on all outsourcing initiatives.
1.10 Outsourcing in Compliance with Central Bank’s Consumer Protection Regulation
1.
Disclosure of Employer
a) The Bank must require Authorized Agents to ensure that their representatives disclose and explain to Consumers the relationship between the Bank and the Authorized Agents (4.1.1.6)
2. Training, Competency and Ethical Conduct
a) The Bank must verify and document that the staff of the Authorized Agents who represent the Bank are properly trained, qualified and fully understand their obligations regarding the Financial Products and/or Services being offered and the standards of assessing Financial Products and/or Services for appropriateness, suitability, and affordability (5.1.1.52).
b) The Bank must document and retain a record of training and qualifications of individual staff of the Authorized Agents who are employed by the Bank (5.1.1.58).
3. Accountability for Authorized Agents
a) The Bank must have a fit and proper policy and perform appropriate due diligence and verification before contracting with potential Authorized Agents or renewing contracts.
b) The policies must be reviewed annually, or earlier if required, and the Bank must apply the fit and proper policy based on the type of activity being insourced or outsourced and shall document the process and results (5.1.1.80).
c) NBQ is accountable and liable for ensuring that Authorized Agents remain fit and proper and fully understand the Bank’s control framework and agree to comply with all Applicable Laws and Regulations in place (5.1.1.81).
d) The contract must include provisions giving the Bank and the Central Bank the ability to access, verify and ensure compliance with all applicable Laws and Regulations (5.1.1.82).
4. Control of Conflicts of Interest
a) The Board of the Bank must have in place an adequate control framework to ensure that any Outsourcing or insourcing arrangement does not create situations of Conflict of Interest.
Any Outsourcing or insourcing arrangement must be subjected to appropriate due diligence, fit and proper approvals and ongoing monitoring in order to identify and mitigate risks of any Conflict of Interest (5.2.3.6)
5. Policies, Procedures and Systems
a) The Bank must protect Consumer Data and maintain the confidentiality of the Data when it is held, accessed or used by the Authorized Agents (6.1.1.2).
6. Expressed Consent by Consumers
a) The Bank must obtain informed and expressed consent of a Consumer before transferring the Consumer's Personal Data to Authorized Agents for direct marketing. A copy of the expressed consent must be retained for 5 years after the relationship with the Consumer has terminated (6.1.3.4).
b) The Consumer shall have the right to withdraw expressed consent at any time regarding the Personal Data sharing with Authorized Agents and other third parties for purposes such as, but not limited to, sales and marketing (6.1.3.5.b)
7. Sharing with Authorized Agents
a) The Bank must ensure that the Authorized Agents to whom some part or the entire delivery of the Financial Product and/or Service is outsourced meet the fit and proper policy regarding Data management and protection, including secure handling procedures and applying proper controls (6.1.4.1).
b) The access to customers’ Personal Data by Authorized Agents must be properly authorized in writing, regularly monitored, and appropriately restricted in line with the purpose of the access given. (6.1.4.2)
c) All legal contracts with Authorized Agents relating to Outsourcing of functions and services must include appropriate provisions for safeguarding confidentiality of Personal Data and must prohibit the unauthorized disclosure of confidential Personal Data by Authorized Agents. (6.1.4.2)
d) The Authorized Agents must report to the Data Management and Protection Function significant breaches of Personal Data.
The Licensed Financial Institution’s obligation to protect all Consumer Data extends to the actions of all Authorized Agents. (6.1.4.2)
e) Where Personal Data is shared and retained outside of the Bank's own network, such as with Authorized Agents, NBQ and the Authorized Agents must use encryption techniques to suitably encrypt Consumer Data and take measures for the secure transfer of Data. (6.1.4.3)
f) NBQ is responsible for ensuring any outsourced technology using or retaining Personal Data meets the highest standards of security, encryption and protection and is regularly audited and verified for vulnerabilities. (6.1.4.4)
g) In the event of a termination of an Outsourcing contract with a Third Party, the Bank must ensure and be able to demonstrate that all Personal Data is either retrieved from the Third Party and/or is destroyed. (6.1.4.5)
h) The sharing of customer data with a Third Party will only be allowed once expressed consent from the customer has been obtained and recorded. (6.1.4.6)
i) The Bank must confirm in any contract with a Third Party that the Third Party has no further right to share the customer data or use it for other unauthorized purposes unless required by the laws in the UAE. (6.1.4.6)
j) The Bank must effectively perform and document the due diligence measures when verifying the background and competence of any Third Party that will represent the Bank and/or have access to or possession of the Consumer’s assets, information and Data (6.2.1.12)
k) The Bank must ensure that the Authorized Agents have an equivalent level of fraud control, coordination and monitoring for all activities performed by their Staff on behalf of the Bank. (6.2.1.13)
1.11 Policy and Procedure Interactions / Connections
1. Risk Governance Framework: NBQ is fully responsible for the risks arising from any process or activity outsourced by the Bank.
The UAE-CB Outsourcing regulations and standards, as part of their guidance for risk management and governance, state that as a minimum the following policies are to be included in NBQ’s Risk Governance Framework:
a. Policy for the assessment of materiality, which requires the approval of the Board of Directors in case of material outsourced business activities.
b. Policies and Procedures for the identification, mitigation, and management of potential conflicts of interest in outsourced business activities
c. Policies and Procedures defining the roles and responsibilities of the Bank’s departments and internal control functions and determining the involvement of each across the stages of the outsourcing life cycle.
d. Policies and Procedures to ensure material risks relating to outsourcing are identified, measured, managed or mitigated and reported to the Board
e. Policies and Procedures ensuring that outsourced business activities are covered as part of NBQ’s disaster recovery plan and that vendors have their own business continuity plans and are prepared to implement them.
This Risk Governance Framework provides a Group-wide view of the risks associated with outsourcing, including any services the Bank provides to, or receives from, other group members, if applicable. This document incorporates the minimum policies and procedures recommended by the UAE-CB and as such is to be considered a part of NBQ’s overall risk governance framework.
1.12 Annexures / Attachments / Supporting Documents
General Documents: A general principle underpinning the UAE-CB guidelines for prudent management of outsourcing activities is that outsourced activities should provide equivalent information security, risk management and service delivery as if the activity had been performed in-house; as such, the following documents are to be consulted throughout the outsourcing life cycle:
a. Business Strategy Documents
b. Business Continuity Plan
c. Information and Communication Technology policies.
d. Information Security Policies
e. Operational Risk Management Policies
f. SLAs and service levels for processes considered for outsourcing.
1.13 Key Controls / Management Reports
Overview of Regulation
Key Principle: The key principle underpinning UAE-CB regulation is that outsourcing arrangements should not impair the Bank from carrying out its responsibilities towards its customers and the Central Bank; furthermore, any outsourcing arrangement should not impede the Central Bank’s effective supervision of the activity. Figure (1) gives a brief overview of the regulation and accompanying standards.
Figure (1): Overview of the UAE-CB outsourcing regulation and accompanying standards (figure not reproduced in the text)
Main Areas of Concern: As outlined above, the UAE-CB’s regulation and standards span 9 sub-topics across three main areas: Governance and Monitoring; Communication with the Central Bank; and Special consideration for issues of Data, Outsourcing outside the UAE and Islamic Banking.
Responsibilities of the Compliance Department: The Compliance Department is responsible for providing guidance to other functions regarding the Central Bank’s regulations and seeking the non-objection of the Central Bank prior to business activities being outsourced.
NBQ Responsibilities: The responsibilities of NBQ as outlined by the UAE-CB Outsourcing Regulation are as follows:
a. NBQ is responsible for the compliance with all relevant laws and regulations applicable to its outsourced activities.
b. NBQ is responsible for ensuring compliance with all applicable UAE legislation and regulations in managing and processing data when outsourcing.
c. NBQ must ensure that it retains ownership of all data provided to an Outsourcing service provider, and that its customers retain ownership of their data, including but not limited to confidential data, and can effectively exercise their rights and duties in this regard.
d. NBQ must ensure that its data is secured from unauthorized access, including unauthorized access by the Outsourcing service provider or its staff.
Outsourcing Register
Objective: The aim of the outsourcing register is to provide an overview for both internal and external parties of NBQ’s outsourcing initiatives; as such, the outsourcing register shall contain the data outlined in Table (1) as a minimum.
Table 1
Sn | Category | Item
1.1 | General | Description of Outsourced Service
1.2 | General | Service Provider Name
1.3 | General | Start/End Dates of Engagement
1.4 | General | Category (Sub-Contractor/Service Provider)
1.5 | General | Country of Registration of Service Provider
1.6 | General | Type of Outsourcing (Intra-Group/Third Party)
2.1 | Materiality | Materiality of Outsourced Services
2.2 | Materiality | Date (if applicable) of CB-UAE non-objection for outsourcing of activity
2.3 | Materiality | Date of latest Materiality Assessment
2.4 | Materiality | Reason (if applicable) for change in level of materiality during latest assessment
3.1 | Risk | Level of Residual Risk of Outsourced Service
3.2 | Risk | Description of Residual Risks of Outsourced Service
3.3 | Risk | Date of Latest Risk Assessment
3.4 | Risk | Reason (if applicable) for change in Risk level during latest assessment
4.1 | Data | Does the Outsourced Service include sharing of Data (Yes/No)
4.2 | Data | Type of Data being shared (confidential/non-confidential)
4.3 | Data | Does the Outsourced Service include sharing of confidential data outside the UAE
4.4 | Data | In case of Data sharing outside the UAE, has the approval of the Central Bank been obtained
4.5 | Data | Date of approval for sharing of confidential data outside the UAE (if applicable)
4.6 | Data | In case of sharing of customer confidential data outside the UAE, has the written consent of the customer been obtained?
4.7 | Data | Jurisdiction outside the UAE to which data is shared as part of the outsourcing arrangement
4.8 | Data | Does the Service Provider sub-contract elements of the service that include the sharing of confidential data (Yes/No)
5.1 | Business Continuity | When did the service provider last test its business continuity plan
5.2 | Business Continuity | Were the results of the latest business continuity test satisfactory (Yes/No)
5.3 | Business Continuity | Have alternate service providers been identified
Management of Outsourcing Register: It is the responsibility of the General Services Unit (GSU) to maintain and keep up to date the outsourcing register. Initiating Departments indicated as owners for specific entries of the register are responsible for providing GSU with information and promptly informing the department in case of any changes.
Review of Outsourcing Register: The Risk Management, Compliance and Internal Audit Departments are responsible for periodic review of the outsourcing register.
Submission of Outsourcing Register: The Compliance department is responsible for the submission of the Outsourcing Register to the Central Bank upon request, after seeking the consent of the Board of Directors.
I. Reporting Requirements
a. The Compliance Department is required to report on the Bank’s Outsourcing arrangements in the format and frequency prescribed by the UAE Central Bank.
b. The Compliance department is responsible for the submission of the outsourcing register as mentioned above.
c. The Compliance Department must immediately notify the Central Bank when it becomes aware of a material breach of the terms of an outsourcing agreement, or other development with respect to an outsourced Material Business Activity, that has, or is likely to have, a significant impact on the Bank’s operations, reputation, or financial condition.
d.
In case of a request by the CBUAE for specific information with regard to the Bank’s outsourcing arrangements, the Compliance department is responsible for the submission of the required information. II. Non-Objection by the Central Bank Requirement: Prior to entering into an agreement to outsource a material business activity, the Bank must seek the non-objection of the Central Bank. Minimum Documentation: The following minimum documentation presented in Table (2) is to be included in the request for non-objection. Table 2 Sn Documentation Ownership 1 Brief explanation of the activity to be outsourced. Initiating Department 2 Summary of the Materiality assessment performed Initiating Department ORM/POL.04 Revision 01 (15-JUN-2022) Page 26 of 29 Document Title Outsourcing Policy Document ID ORM/POL.04 Effective Date 15-JUN-2022 Sn Documentation Ownership 3 Summary of the Risk Assessment Initiating Department 4 Summary of the Due Diligence Performed and its Initiating Department outcome 5 Confirmation of agreement of internal audit and Internal Audit/Compliance compliance functions 6 An Overview of any closely related outsourcing Initiating Department agreements 7 Confirmation of compliance with the requirements of Compliance Outsourcing for Banks Regulation 8 Evidence of approval of the proposed outsourcing by the Initiating Department Board or Board Committee Responsibilities: a. Owners indicated above are responsible for completing and submitting to the compliance function the required documentation upon approval of the Board of the Board of Directors, or its delegated parties (Risk Committee or Executive Committee), of the outsourcing of a material business activity. b. The compliance function is responsible for submitting required documentation to the Central Bank and communicating Central Bank feedback to the Board of Directors. c. 
Compliance function is encouraged to communicate pro-actively and coordinate with the Central Bank in order to avoid the non-objection process delaying outsourcing initiatives. d. Initiating Department is responsible for seeking board approval for outsourcing. III. Outsourcing Outside the UAE Master System of Record: NBQ must ensure that the Master System of Record, which includes all confidential data is continuously maintained and stored within the UAE. Central Bank Approval: In cases of sharing of confidential customer data outside the UAE, NBQ must seek the approval of the Central Bank Customer Approval & Acknowledgement: In cases of sharing of confidential customer data outside the UAE, NBQ must obtain prior written consent from the customer and his/her written acknowledgement that his/her confidential data may be accessed under legal proceedings outside the UAE in such circumstances. ORM/POL.04 Revision 01 (15-JUN-2022) Page 27 of 29 Document Title Outsourcing Policy Document ID ORM/POL.04 Effective Date 15-JUN-2022 2. Approval Sign-off Prepared by (a): Initiator Section Name Designation Department Date Signature Abdulla Chemmala Asst. Manager, OR Operational Risk J. Nandkumar Senior Manager, OR Operational Risk Reviewed by (b): Stakeholder Section Name Designation Department Date Signature Rajesh Manager - ISC Information Security Balakrishnan Information Jayamohan ACIO – IT Technology General Service Unit Hessa Sebil Manager, GSU (GSU) Retail Banking Mike Tufail AGM – Head of Retail Division (RBD) Reviewed by (c): Mandatory Reviewer Section Ahmed Al Mulla Acting Head of Legal Legal Adnan Sajwani Head of Compliance Senior Management V. Patnaik Head of Risk Senior Management K.G. 
Pradeep CFO DGM Senior Management Reviewed by: Policy & Procedures Control Unit TBD Approved by (e): Approver Section Adnan Al Awadhi CEO Board of Directors / Board Committee (as applicable) *Note: Guidelines on signing authorities are as follows: Section (a): Initiator signoff to be signed by document owner, i.e. Head of the Department Section (b): Stakeholder signoff to be signed by Heads of Department whose processes are directly impacted by this document Section (c): Mandatory Reviewer signoff to be signed by Head of Department Legal and Senior Management Team, i.e. CFO DGM, Head of Risk and Head of Compliance Section (d): Approver section to be signed by the final approver/s of this document, i.e. CEO and/or Board or Board Committee, as applicable. ORM/POL.04 Revision 01 (15-JUN-2022) Page 28 of 29 Document Title Outsourcing Policy Document ID ORM/POL.04 Effective Date 15-JUN-2022 3. Revision Log Revision Revision Date Section Change Description No. 00 31-Oct-2021 All New policy document 1. Incorporated additional clauses and changed few roles and responsibilities of stakeholders, aligned to the Consumer Protection 01 30-MAR-2022 All Regulations (CPR) of CBUAE. 2. Format changed into the new Policy template. ORM/POL.04 Revision 01 (15-JUN-2022) Page 29 of 29
